Re: (ITS#4180) slapd (back-sql) hangs/segfaults on SASL bind
On 18 Nov 2005 at 19:03, Pierangelo Masarati wrote:
> Another thing you may want to try is step with the debugger into
> slap_sasl_canonicalize(), which sets the values later retrieved in
> slap_sasl_authorized; the first time it's called, it's supposed to set
> the slapAuthcDN, and the second time the slapAuthzDN, which is the
> offending value in your issue. You may want to take note of the values
> that are being set, and compare them with those retrieved later.
>
> (gdb) p sizeof(dn)
> $33 = 16
> (gdb) p ((char *)&dn)[0]@16
> $34 = "\"\000\000\000\000\000\000\000 f\005\226*\000\000"
Breakpoint 1, slap_sasl_canonicalize (sconn=0x9f3d1d0, context=0xb757cb88,
in=0x9f3e510 "nels", inlen=135677768, flags=1, user_realm=0x0,
out=0x9f3dbe1 "", out_max=256, out_len=0x9f3da40) at sasl.c:543
543 Connection *conn = (Connection *)context;
[...]
629 prop_set( props, names[0], (char *)&dn, sizeof( dn ) );
(gdb) p sizeof(dn)
$1 = 8
(gdb) p ((char *)&dn)[0]@8
$2 = "\035\000\000\000¨÷ɶ"
629 prop_set( props, names[0], (char *)&dn, sizeof( dn ) );
(gdb) p sizeof(dn)
$3 = 8
(gdb) p ((char *)&dn)[0]@8
$4 = "\035\000\000\000¨÷ɶ"
627 names[1] = NULL;
(gdb)
629 prop_set( props, names[0], (char *)&dn, sizeof( dn ) );
(gdb) p sizeof(dn)
$5 = 8
(gdb) p ((char *)&dn)[0]@8
$6 = "\035\000\000\000¨÷ɶ"
> (note that "dn" has size 16 on my amd64; it should be quite different on
> a 32 bit architecture; actually your postings suggest a size of 8 for
> the slapAuthcDN, and a puzzling size of 6 for the offending saslAuthzDN,
> which I suspect is just garbage.)
>
> The second time, same stuff:
Second time through, it never made it to prop_set(). Here's the
entire step-through:
Breakpoint 1, slap_sasl_canonicalize (sconn=0x9f3d1d0,
context=0xb757cb88,
in=0x9f3e510 "nels", inlen=135677768, flags=2, user_realm=0x0,
out=0x9f3dae0 "", out_max=256, out_len=0x9f3da3c) at sasl.c:543
543 Connection *conn = (Connection *)context;
544 struct propctx *props = sasl_auxprop_getctx( sconn );
542 {
543 Connection *conn = (Connection *)context;
545 struct propval auxvals[3] = { 0 };
544 struct propctx *props = sasl_auxprop_getctx( sconn );
545 struct propval auxvals[3] = { 0 };
551 *out_len = 0;
556 in ? in : "<empty>");
561 if ( inlen > out_max )
569 if ( !conn->c_sasl_bindop ||
573 prop_getnames( props, slap_propnames, auxvals );
574 if ( !auxvals[0].name )
577 if ( flags & SASL_CU_AUTHID )
583 if ( !auxvals[PROP_CONN].values ) {
577 if ( flags & SASL_CU_AUTHID )
583 if ( !auxvals[PROP_CONN].values ) {
590 if ( auxvals[which].values )
636 AC_MEMCPY( out, in, inlen );
637 out[inlen] = '\0';
639 *out_len = inlen;
641 return SASL_OK;
642 }
> (gdb) p sizeof(dn)
> $36 = 16
> (gdb) p ((char *)&dn)[0]@16
> $37 = "\"\000\000\000\000\000\000\000 @\n\226*\000\000"
>
> Then, in slap_sasl_authorize(), after
>
> 678 prop_getnames( props, slap_propnames+1, auxvals );
>
> (gdb) p ((struct berval*)auxvals[0].values[0])[0]
> $38 = {bv_len = 34, bv_val = 0x2a960566b8 "cn=mitya kovalev,dc=example,dc=com"}
> (gdb) p ((struct berval*)auxvals[1].values[0])[0]
> $39 = {bv_len = 34, bv_val = 0x2a960a40e8 "cn=mitya kovalev,dc=example,dc=com"}
(gdb) p ((struct berval*)auxvals[0].values[0])[0]
$7 = {bv_len = 29, bv_val = 0xb6c9f7a8 "cn=nels lindquist,o=maei,c=ca"}
(gdb) p ((struct berval*)auxvals[1].values[0])[0]
$8 = {bv_len = 1685217607,
bv_val = 0x47006e65 <Address 0x47006e65 out of bounds>}
(gdb) p auxvals
$9 = {{name = 0x811e3d9 "*slapAuthcDN", values = 0x9f54114, nvalues = 1,
valsize = 8}, {name = 0x811e3e6 "*slapAuthzDN", values = 0x9f5412c,
nvalues = 1, valsize = 6}, {name = 0x0, values = 0x0, nvalues = 0,
valsize = 0}}
> (authorizing self.) Note the contents of the auxvals datum:
>
> (gdb) p auxvals
> $40 = {{name = 0x6629da "*slapAuthcDN", values = 0x97fb68, nvalues = 1, valsize = 16},
> {name = 0x6629e7 "*slapAuthzDN", values = 0x97fb88, nvalues = 1, valsize = 16},
> {name = 0x0, values = 0x0, nvalues = 0, valsize = 0}}
>
> If I don't use any authorization:
>
> (gdb) p auxvals
> $41 = {{name = 0x6629da "*slapAuthcDN", values = 0x97fb68, nvalues = 1, valsize = 16},
> {name = 0x6629e7 "*slapAuthzDN", values = 0x0, nvalues = 0, valsize = 0},
> {name = 0x0, values = 0x0, nvalues = 0, valsize = 0}}
>
> That's why I believe something weird is going on in your system when the
> values are set, or between the time they're set and the time they're
> read back into slapd.
----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
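
The auxvals output in this message shows valsize = 8 for *slapAuthcDN but 6 for *slapAuthzDN, and casting that second value to struct berval yields the out-of-bounds bv_val. The following is an added example, not code from this thread or from OpenLDAP, of checking the stored size before reinterpreting a property value as a struct; struct berval_ex, struct propval_ex, dn_from_prop and the demo_* inputs are hypothetical stand-ins with constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins (assumptions) so this builds without the OpenLDAP and
 * Cyrus SASL headers; field names follow the gdb output in the message. */
struct berval_ex  { unsigned long bv_len; char *bv_val; };
struct propval_ex { const char *name; const char **values; unsigned nvalues, valsize; };
enum { PROP_OK = 0, PROP_ABSENT = -1, PROP_BAD_SIZE = -2, PROP_BAD_VALUE = -3 };

/* Copy out a DN stored as a raw struct image, refusing to reinterpret a
 * value whose size is not exactly that of the struct. */
int dn_from_prop(const struct propval_ex *pv, struct berval_ex *out)
{
    if (!pv->values || pv->nvalues == 0 || !pv->values[0])
        return PROP_ABSENT;                   /* no identity was set */
    if (pv->nvalues != 1 || pv->valsize != sizeof(*out))
        return PROP_BAD_SIZE;                 /* e.g. valsize 6, not 8 or 16 */
    memcpy(out, pv->values[0], sizeof(*out)); /* buffer may be unaligned */
    if (!out->bv_val || out->bv_len == 0)
        return PROP_BAD_VALUE;
    return PROP_OK;
}

int demo_good(void)    /* constructed well-formed value; returns bv_len */
{
    char dn[] = "cn=nels lindquist,o=maei,c=ca";
    struct berval_ex bv = { sizeof(dn) - 1, dn }, got;
    const char *vals[] = { (const char *)&bv, NULL };
    struct propval_ex pv = { "*slapAuthcDN", vals, 1, (unsigned)sizeof(bv) };
    int rc = dn_from_prop(&pv, &got);
    return rc == PROP_OK ? (int)got.bv_len : rc;
}
int demo_short(void)   /* constructed 6-byte value that is not a struct */
{
    const char *vals[] = { "abcdef", NULL };
    struct propval_ex pv = { "*slapAuthzDN", vals, 1, 6 };
    struct berval_ex got;
    return dn_from_prop(&pv, &got);
}
int demo_absent(void)  /* property never set, as with no authorization */
{
    struct propval_ex pv = { "*slapAuthzDN", NULL, 0, 0 };
    struct berval_ex got;
    return dn_from_prop(&pv, &got);
}
int main(void)
{
    printf("good=%d short=%d absent=%d\n", demo_good(), demo_short(), demo_absent());
    return 0;
}
```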